How do you measure how mature your vendor security risk assessment program is? How do you measure your ability to lead or develop such a program?

Would it be safe to say that a majority of breaches are a direct result of vendors and the inability of companies to properly continuously vet and validate their trust in these same vendors?

They say it’s not about if you’ll be breached but when. Let’s put it this way – there are certainly many steps you can take to significantly reduce this risk on your watch and help you get a better night’s sleep.

So to better measure your skills to get your arms around this monster, here’s a questionnaire to help you out. The test does not aim to cover everything but gives you a good idea of where you stand. Feel free to modify it to fit your Enterprise’s needs.

There are 25 questions, each with a maximum of 2 points.

Please note that many people would say “yes” to every question below when asked about the application of these guidelines to their internal environment.  The purpose of this test is to see how much you’ve considered applying them to your vendor evaluations.

When you’re done, just multiply the total score by 2 to obtain the percentage that is your final score.

You may ask what percent is a good one. It’s all about knowing your shortcomings and what’s right for your business.

Assign a number from 0 to 2 for each question.  The following is the meaning for each response:

0 = No or Not Applicable

1 = Somewhat or Partially Proficient

2 = Yes

  1. How well do you know the ISO/IEC 27001:2013 standard? (0/1/2)
  2. Do you use a SaaS-based risk management solution instead of passing around a security questionnaire spreadsheet to your vendor? (0/1/2)
  3. Do you have a complete list of your vendors who require a risk assessment? (0/1/2)
  4. Do you know which ones represent a high residual risk to your Enterprise? (0/1/2)
  5. Do you have an idea what constitutes sensitive data in your organization? (0/1/2)
  6. Do you have a Right to Audit clause in contracts with your high-risk vendors? (0/1/2)
  7. Can you list which of your vendors and subcontractors host, transmit, or process your sensitive data? (0/1/2)
  8. Is your vendor incident management program well documented showing swift escalation and notification to your company in case of incidents that may affect your company? (0/1/2)
  9. Can you tell which of your vendors present an externally facing web site for your customers and employees? (0/1/2)
  10. Do you know which of your vendors have local access to your network (within premises)? (0/1/2)
  11. Do you know which of your vendors have remote access to your network within the U.S.? (0/1/2)
  12. Do you know which of your vendors have remote access to your network from outside of the U.S.? (0/1/2)
  13. Can you read a penetration test report or vulnerability assessment report conducted on the vendor’s network or application?  (0/1/2)
  14. Can you read a vendor’s SSAE16 report? (0/1/2)
  15. Do you request a number of documents from your high and moderate risk vendors for proper due diligence? (0/1/2)
  16. Do you perform thorough vendor remote security risk assessments (table-top)? (0/1/2)
  17. Do you perform thorough vendor onsite security risk assessments (at the vendor’s site or data center)? (0/1/2)
  18. Do you have an active onsite security assessment program in place? (0/1/2)
  19. Are you able to read your vendor’s network diagram with security controls? (0/1/2)
  20. Do you have a checklist of what to look for when reviewing various vendor policies and procedures, such as, the Infosec policy, incident management, change management, etc.? (0/1/2)
  21. Are comprehensive security provisions included in new vendor service agreements/contracts? (0/1/2)
  22. Are your high risk vendors being continuously monitored (e.g. on an annual basis)? (0/1/2)
  23. When doing a remote or onsite security risk assessment, do you collect evidence/artifacts to verify a vendor’s documented process or procedure? (0/1/2)
  24. Have you aggressively reached out to your vendors for the Heartbleed, Shellshock, and POODLE vulnerability remediation plan and resolution? (0/1/2)
  25. Do you engage/educate the business owners, Legal and Finance so that security risk assessments are incorporated at the very beginning of a vendor engagement? (0/1/2)


Leave a Reply